@@ -64,7 +64,7 @@ Creating and Updating a VPN Customer Gateway
6464^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
6565
6666.. note ::
67- A VPN customer gateway can be connected to only one VPN gateway at a time.
67+ A VPN Customer Gateway can be connected to only one VPN gateway at a time.
6868
6969To add a VPN Customer Gateway:
7070
@@ -80,7 +80,7 @@ To add a VPN Customer Gateway:
8080
8181 Provide the following information:
8282
83- - **Name **: A unique name for the VPN customer gateway you create.
83+ - **Name **: A unique name for the VPN Customer Gateway you create.
8484
8585 - **Gateway **: The IP address for the remote gateway.
8686
@@ -115,13 +115,19 @@ To add a VPN Customer Gateway:
115115 confirming that the remote gateway has a matching Preshared Key.
116116
117117 - **IKE Hash **: The IKE hash for phase-1. The supported hash
118- algorithms are SHA1 and MD5.
118+ algorithms are SHA1, SHA256, SHA384 and SHA512 and MD5.
119+
120+ - **IKE Version **: The IKE Version to use between ike (autoselect), ikev1, or ikev2.
121+ Connections marked with 'ike' will use 'ikev2' when initiating,
122+ but accept any protocol version when responding. Defaults to 'ike'.
119123
120124 - **IKE DH **: A public-key cryptography protocol which allows two
121125 parties to establish a shared secret over an insecure
122126 communications channel. The 1536-bit Diffie-Hellman group is used
123127 within IKE to establish session keys. The supported options are
124- None, Group-5 (1536-bit) and Group-2 (1024-bit).
128+ None, Group-2 (1024-bit), Group-5 (1536-bit), Group-14 (2048-bit),
129+ Group-15 (3072-bit), Group-16 (4096-bit), Group-17 (6144-bit) and
130+ Group-18 (8192-bit).
125131
126132 - **ESP Encryption **: Encapsulating Security Payload (ESP) algorithm
127133 within phase-2. The supported encryption algorithms are AES128,
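Review bot: the added IKE Hash list at 118+ reads "SHA1, SHA256, SHA384 and SHA512 and MD5", a doubled "and"; suggest "MD5, SHA1, SHA256, SHA384 and SHA512". The unchanged sentence at 122-123, "The 1536-bit Diffie-Hellman group is used within IKE to establish session keys", no longer matches the expanded list at 128+-130+ that runs from Group-2 (1024-bit) to Group-18 (8192-bit); reword it to "The selected Diffie-Hellman group is used within IKE to establish session keys" so readers do not take Group-5 as the only or default choice. Since this change also introduces the excluded/obsolete mechanism later in the patch, a short pointer here that weak options such as MD5 or Group-2 (1024-bit) may be hidden or flagged by the operator would tie the two parts of the document together.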
@@ -134,18 +140,19 @@ To add a VPN Customer Gateway:
134140 extracted from the Diffie-Hellman key exchange in phase-1, to
135141 provide session keys to use in protecting the VPN data flow.
136142
137- - **ESP Hash **: Encapsulating Security Payload (ESP) hash for
138- phase-2. Supported hash algorithms are SHA1 and MD5.
143+ - **ESP Hash **: Encapsulating Security Payload (ESP) hash for phase-2.
144+ Supported hash algorithms are SHA1, SHA256, SHA384 and SHA512 and MD5.
139145
140146 - **Perfect Forward Secrecy **: Perfect Forward Secrecy (or PFS) is
141147 the property that ensures that a session key derived from a set of
142148 long-term public and private keys will not be compromised. This
143149 property enforces a new Diffie-Hellman key exchange. It provides
144150 the keying material that has greater key material life and thereby
145151 greater resistance to cryptographic attacks. The available options
146- are None, Group-5 (1536-bit) and Group-2 (1024-bit). The security
147- of the key exchanges increase as the DH groups grow larger, as
148- does the time of the exchanges.
152+ are None, Group-2 (1024-bit), Group-5 (1536-bit), Group-14 (2048-bit),
153+ Group-15 (3072-bit), Group-16 (4096-bit), Group-17 (6144-bit) and
154+ Group-18 (8192-bit). The security of the key exchanges increase as
155+ the DH groups grow larger, as does the time of the exchanges.
149156
150157 .. note ::
151158 When PFS is turned on, for every negotiation of a new phase-2 SA
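Review bot: the same doubled "and" appears in the ESP Hash list at 144+ ("SHA512 and MD5"); use "MD5, SHA1, SHA256, SHA384 and SHA512" to match the IKE Hash entry. At 154+-155+ "The security of the key exchanges increase" should be "increases" (the subject is "security"); the sentence is being moved anyway, so fix it now. The PFS entry lists None as an option without saying what it means; one sentence stating that None disables PFS, so phase-2 rekeying does not perform the new Diffie-Hellman exchange described just above, would make the trade-off explicit to the person filling in the form.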
@@ -172,27 +179,137 @@ To add a VPN Customer Gateway:
172179 - **Force UDP Encapsulation of ESP Packets **: Force Encapsulation for
173180 NAT traversal
174181
182+ .. note ::
183+ If the administrator has configured excluded cryptographic
184+ parameters, those options will not appear in the form. If obsolete
185+ parameters are configured, those options will be displayed with a
186+ warning message indicating they are obsolete and should be avoided.
187+
175188#. Click OK.
176189
177190
191+ Configuring Excluded and Obsolete VPN Customer Gateway Parameters
192+ ''''''''''''''''''''''''''''''''''''''''''''''''
193+
194+ CloudStack provides administrators with configuration settings to enforce
195+ modern security standards by marking certain cryptographic algorithms and
196+ parameters as excluded or obsolete for VPN Customer Gateway creation.
197+
198+ **Excluded Parameters: **
199+
200+ These parameters are completely hidden from users and cannot be used
201+ while creating or updating VPN Customer Gateways:
202+
203+ - **vpn.customer.gateway.excluded.encryption.algorithms **: Comma-separated
204+ list of encryption algorithms to exclude. Applies to both phases.
205+
206+ - **vpn.customer.gateway.excluded.hashing.algorithms **: Comma-separated
207+ list of hashing algorithms to exclude. Applies to both phases.
208+
209+ - **vpn.customer.gateway.excluded.ike.versions **: Comma-separated list of
210+ IKE versions to exclude.
211+
212+ - **vpn.customer.gateway.excluded.dh.group **: Comma-separated list of
213+ Diffie-Hellman groups to exclude. Applies to both phases.
214+
215+ **Obsolete Parameters: **
216+
217+ These parameters are shown with a warning message, allowing existing
218+ deployments to continue functioning while encouraging migration to more
219+ secure alternatives:
220+
221+ - **vpn.customer.gateway.obsolete.encryption.algorithms **: Comma-separated
222+ list of encryption algorithms marked as obsolete. Applies to both phases.
223+
224+ - **vpn.customer.gateway.obsolete.hashing.algorithms **: Comma-separated
225+ list of hashing algorithms marked as obsolete. Applies to phases.
226+
227+ - **vpn.customer.gateway.obsolete.ike.versions **: Comma-separated list of
228+ IKE versions marked as obsolete.
229+
230+ - **vpn.customer.gateway.obsolete.dh.group **: Comma-separated list of
231+ Diffie-Hellman groups marked as obsolete. Applies to both phases.
232+
233+ **Behavior: **
234+
235+ - **Excluded parameters **: Not shown in the Create and Update VPN Customer
236+ Gateway forms. Users cannot select these options for new gateways.
237+
238+ - **Obsolete parameters **: Shown with a warning message in the Create and
239+ Update forms, indicating they are deprecated and should be avoided.
240+
241+ - **Existing gateways **: If a VPN Customer Gateway already uses excluded or
242+ obsolete parameters:
243+
244+ - A warning icon is displayed next to the gateway name with a message
245+ prompting users to change the obsolete or excluded parameters.
246+
247+ - The Update VPN Customer Gateway form displays the setting with a
248+ warning message encouraging users to change it to a more secure
249+ alternative.
250+
251+ - The ``listVpnCustomerGateways `` API response includes two new fields:
252+
253+ - **obsoleteparameters **: List of all obsolete parameters used by the gateway
254+
255+ - **excludedparameters **: List of all excluded parameters used by the gateway
256+
257+ - The ``listCapabilities `` API response includes a new field containing
258+ the list of excluded and obsolete VPN Customer Gateway parameters, but
259+ only if these configuration settings are configured by the operator.
260+
261+ **Events and Alerts: **
262+
263+ There is a thread that run periodically to check for VPN Customer Gateways which
264+ are using excluded or obsolete cryptographic parameters.The interval at which this thread
265+ runs is configurable using the setting **vpn.customer.gateway.obsolete.check.interval **.
266+ The unit is in hours and the default value is 0 which means it is disabled by default.
267+
268+ Each time the thread runs, it generates Events for each VPN Customer Gateway which is
269+ using excluded or obsolete parameters.
270+ It also generates Alerts to the Administrator about the number of VPN Customer Gateways
271+ that are using excluded and/or obsolete parameters.
272+
273+ **Configuration Scope: **
274+
275+ The obsolete and excluded settings support Domain-level configuration.
276+ When set at Domain level, the values override global settings for that specific Domain only.
277+
278+ - Global Settings: Apply to all Domains without specific overrides
279+
280+ - Domain Settings: Override global settings for that specific Domain only
281+
282+ Note: Domain settings do not cascade to child Domains. Each child Domain must be configured individually,
283+ or it will inherit from global settings (not from its parent Domain).
284+
285+ To reset a Domain-specific override, navigate to Domains → [Domain Name] → Settings and reset the value.
286+ This will cause the Domain to fall back to global settings
287+
178288Updating and Removing a VPN Customer Gateway
179289''''''''''''''''''''''''''''''''''''''''''''
180290
181291You can update a customer gateway either with no VPN connection, or
182292related VPN connection is in error state.
183293
294+ .. note ::
295+ If a VPN Customer Gateway is using excluded or obsolete cryptographic
296+ parameters (as configured by your CloudStack operator), a warning icon
297+ will be displayed next to the gateway name. When editing such a gateway,
298+ the Update form will display warnings for any obsolete or excluded
299+ parameters, encouraging you to change them to more secure alternatives.
300+
184301#. Log in to the CloudStack UI as an administrator or end user.
185302
186303#. In the left navigation, choose Network.
187304
188305#. In the Select view, select VPN Customer Gateway.
189306
190- #. Select the VPN customer gateway you want to work with.
307+ #. Select the VPN Customer Gateway you want to work with.
191308
192309#. To modify the required parameters, click the Edit VPN Customer
193310 Gateway button |vpn-edit-icon.png |
194311
195- #. To remove the VPN customer gateway , click the Delete VPN Customer
312+ #. To remove the VPN Customer Gateway , click the Delete VPN Customer
196313 Gateway button |delete.png |
197314
198315#. Click OK.
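Review bot: at 235+-236+ "Not shown in the Create and Update VPN Customer Gateway forms. Users cannot select these options for new gateways" leaves open whether excluded values are rejected by the createVpnCustomerGateway/updateVpnCustomerGateway API or only hidden by the UI; a UI-only filter is not enforcement, so the text should state explicitly what happens to an API request that supplies an excluded algorithm, version or DH group. The new section heading at 191+-192+ has a 48-character underline under a 65-character title, which Sphinx reports as "Title underline too short"; pad it to at least the title length, as the heading at 289 does. Smaller fixes in the same hunk: 225+ "Applies to phases." is missing "both"; 263+ "a thread that run" should be "runs"; 264+ needs a space after "parameters."; 286+ is missing its final period; 282+-283+ is a plain "Note:" paragraph and should use the ".. note::" directive used at 182+ and elsewhere in this file. At 257+-259+ the listCapabilities addition says "a new field" without naming it, unlike obsoleteparameters and excludedparameters at 253+/255+; give the field name. Finally, the defaults of the four excluded and four obsolete settings are never stated (259+ implies they are unset), and 266+ says the periodic check defaults to 0, i.e. disabled; say next to each setting that it is empty by default, and state plainly that no events or alerts are generated until the operator sets vpn.customer.gateway.obsolete.check.interval to a non-zero number of hours.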
@@ -364,7 +481,7 @@ This feature is supported on all the hypervisors.
364481 For more information, see `"Creating a VPN gateway
365482 for the VPC" <#creating-a-vpn-gateway-for-the-vpc> `_.
366483
367- #. Create VPN customer gateway for both the VPCs.
484+ #. Create VPN Customer Gateway for both the VPCs.
368485
369486 For more information, see `"Creating and Updating
370487 a VPN Customer Gateway" <#creating-and-updating-a-vpn-customer-gateway> `_.
@@ -464,6 +581,6 @@ Restarting and Removing a VPN Connection
464581.. |reset-vpn.png | image :: /_static/images/reset-vpn.png
465582 :alt: button to reset a VPN connection
466583.. |delete.png | image :: /_static/images/delete-button.png
467- :alt: button to remove a VPN customer gateway .
584+ :alt: button to remove a VPN Customer Gateway .
468585.. |vpn-edit-icon.png | image :: /_static/images/edit-icon.png
469586 :alt: button to edit.